In 2012, LinkedIn was hacked by an unknown Russian entity, and six million user credentials were leaked online. Four years later, it’s transpired that the hack was far worse than we first expected. In a report published by Vice’s Motherboard, a hacker called Peace has been selling 117 million LinkedIn credentials on the Dark web for around $2,200 in Bitcoin.

While this episode is a continuing headache for LinkedIn, it will inevitably be worse for the thousands of users whose data has been splashed online. Helping me make sense of it is Kevin Shabazi; a leading security expert, and the CEO and founder of LogMeOnce.

Understanding The LinkedIn Leak: How Bad Is It Really?

Sitting down with Kevin, the first thing he did was emphasize the enormity of this leak. “If the figure of 117 million leaked credentials seems to look gigantic, you need to regroup yourself. In the first quarter of 2012, LinkedIn had a total of 161 million members. This means that hackers at the time did not just take 117 million records.”

“In essence they took away a whopping 73% of LinkedIn’s entire database of membership.”

These numbers speak for themselves. Measured purely by the number of records leaked, it compares with other big-name hacks, like the PlayStation Network leak of 2011, or the Ashley Madison leak from last year. Kevin was eager to emphasize that this hack is a fundamentally different beast, however. Because while the PSN hack was purely to obtain credit card information, and the Ashley Madison hack was purely to inflict embarrassment on the company and its users, the LinkedIn hack engulfs a business-focused social network in mistrust. It could lead to people questioning the integrity of their interactions on the site. This, for LinkedIn, could prove to be fatal.

This is especially true when the contents of the data dump raise serious questions about the security policies of the company. The initial dump included user credentials, but according to Kevin, those credentials weren't protected correctly.

“LinkedIn should have applied a hash and salt to each password which involves adding a few random characters. This dynamic variation adds a time element to the password, that if stolen, users will have ample time to change it.”
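To make the difference concrete, here is an added illustration (not code from the article or from LogMeOnce): a constructed user table stored first with a single fast, unsalted hash, then with a random per-user salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256, my choice for the example). Without a salt, two users who share a password get the same stored value, and one precomputed hash table built from common guesses recovers every matching entry at once; with a salt, neither is possible, and the work factor slows each guess further.

```python
import hashlib
import hmac
import os

# Constructed sample user table; two users chose the same password.
USERS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "correct horse"}
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this illustration


def unsalted_sha1(password):
    """The weak scheme: one fast hash per password and no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password, salt=None):
    """The hardened scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_pbkdf2(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def repeated_values(values):
    """Number of stored values that repeat; with no salt, shared passwords are visible."""
    values = list(values)
    return len(values) - len(set(values))


def weak_table():
    return {user: unsalted_sha1(pw) for user, pw in USERS.items()}


def strong_table():
    return {user: salted_pbkdf2(pw) for user, pw in USERS.items()}


def precomputed_lookup(table, guesses):
    """Defender's check: which weak-scheme entries fall to a hash->password table
    built once from common guesses (nothing varies per user, so one table fits all)."""
    rainbow = {unsalted_sha1(g): g for g in guesses}
    return {user: rainbow[h] for user, h in table.items() if h in rainbow}


if __name__ == "__main__":
    weak = weak_table()
    print("repeated hashes (weak):", repeated_values(weak.values()))
    print("recovered via precomputed table:", precomputed_lookup(weak, ["Summer2012", "123456"]))
    strong = strong_table()
    print("repeated digests (strong):", repeated_values(d for _, d in strong.values()))
    salt, digest = strong["alice"]
    print("alice verifies:", verify_pbkdf2("Summer2012", salt, digest))
```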

I wanted to know why the attackers had waited for up to four years before leaking it to the dark web. Kevin acknowledged that the attackers had shown a great deal of patience in selling it, but that was likely because they were experimenting with it. “You should assume that they were coding around it while developing mathematical probabilities to study and understand user trends, behavior, and eventually password behaviors. Imagine the level of accuracy if you submit 117,000,000 actual inputs to create a curve and study a phenomenon!”

Kevin also said that it’s likely that the leaked credentials were used to compromise other services, such as Facebook and email accounts.

Understandably, Kevin is damningly critical of LinkedIn's response to the leak. He described it as "simply inadequate". His biggest complaint is that the company didn't alert its users to the scale of the breach back when it happened. Transparency, he says, is important.

He also laments the fact that LinkedIn didn't take any practical steps to protect their users back when the leak happened. "If LinkedIn had taken corrective measures back then, forced a password change, and then worked with the users to educate them about security best practices, then that would have been OK". Kevin says that if LinkedIn had used the leak as an opportunity to educate their users about the need to create strong passwords that aren't recycled, and are renewed every ninety days, the data dump would have less value today.

What Can Users Do to Protect Themselves?

Kevin doesn't recommend that users take to the Dark web to see if they're in the dump. In fact, he says that there's no reason for a user to confirm whether they've been affected at all. According to Kevin, all users should take decisive steps to protect themselves.

It’s worth adding that the LinkedIn leak will almost certainly find its way to Troy Hunt’s Have I Been Pwned, where users can safely check their status.
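Have I Been Pwned's password check is designed so the password itself never leaves your machine: the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally against the list the service returns. The following is an added example of that range-query logic (not code from the article or from Have I Been Pwned); the response text and breach counts are constructed stand-ins, not the service's real data.

```python
import hashlib


def sha1_hex_upper(password):
    """Pwned Passwords keys entries by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query_parts(password):
    """Only the first five hex characters are sent (GET /range/{prefix});
    the remaining 35 stay on the client and are matched locally."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines a range response contains into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, response_body):
    """Match the locally held suffix against the returned list; 0 means not listed."""
    _, suffix = range_query_parts(password)
    return parse_range_response(response_body).get(suffix, 0)


# Constructed stand-in for a range response: one line for the sample password
# "password" plus two invented suffixes. A live response has hundreds of lines,
# and the counts here are made up, not the service's real figures.
SAMPLE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    range_query_parts("password")[1] + ":3730471",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
])


if __name__ == "__main__":
    prefix, _ = range_query_parts("password")
    print("request discloses only the prefix:", prefix)
    print("'password' listed (constructed count):", breach_count("password", SAMPLE_RESPONSE))
    print("unlisted passphrase:", breach_count("Tina beach Dr Pepper fictitious", SAMPLE_RESPONSE))
```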

So, what should you do? Firstly, he says, users should log out of their LinkedIn accounts on all connected devices, and on one device change their password. Make it strong. He recommends that people generate their passwords using a random password generator.

Admittedly, these are long, unwieldy passwords, and are hard for people to memorize. This, he says, isn’t a problem if you use a password manager. “There are multiple free and reputable ones, including LogMeOnce.”

He emphasizes that choosing the right password manager is important. “Pick a password manager that uses ‘injection’ to insert passwords in the correct fields, rather than simply copying and pasting from the clipboard. This helps you to avoid hack attacks via keyloggers.”

Kevin also stresses the importance of using a strong master password on your password manager.

"Choose a master password that is more than 12 characters. This is the key to your kingdom. Use a phrase to remember such as "$_I Love BaseBall$". This takes about 5 Septillion years to be cracked."

People should also adhere to security best practices. This includes the use of two-factor authentication. "Two-factor authentication (2FA) is a security method which requires the user to provide two layers or pieces of identification. This means you will protect your credentials with two layers of defense — something that you 'know' (a password), and something you 'have' (a one-time token)".

Finally, Kevin recommends that LinkedIn users notify everyone in their network of the hack, so that they too can take protective measures.

An Ongoing Headache

The leak of over a hundred-million records from LinkedIn’s database represents an ongoing problem for a company whose reputation has been tainted by other high-profile security scandals. What happens next is anyone’s guess.

If we use the PSN and Ashley Madison hacks as our road-maps, we can expect cybercriminals unrelated to the original hack to take advantage of the leaked data, and use it to extort affected users. We can also expect LinkedIn to apologize grovellingly to their users, and offer them something — perhaps cash, or more likely a premium account credit — as a token of contrition. Either way, users have to be prepared for the worst, and take proactive steps to protect themselves.

Image Credit: Sarah Joy via Flickr

  2. Volkov
    June 28, 2016 at 11:14 am

    Depending on the type of attack, the password you provided as an example is not at all that hard to crack.
    Let's say you "like" Baseball, Horses, Flowers and Cars pages on facebook, a wordlist can be generated easily based on these "likes".

    If the hacker loads these into a wordlist and uses a dictionary, and tests against basic pre- and suffixes (i.e. I_LOVE_*, I_LIKE_*, *_IS_COOL, etc.), and throws in some special characters, it will take no longer than a few minutes to find the password you provided.

    The BETTER thing to do is to use PHRASES instead of passwords like:
    "Me and Tina went TO thE BeaCh Yesterday And we Had So Much Fun Because We drank Doctor Pepper". Preferably based on fictitious events.

    Only then will you be safe, at least for a while.

  3. anne
    May 23, 2016 at 5:12 pm

    Hello, my account was hacked a few weeks ago. It was a total nightmare.
    Some scammer named "Alex" in the Ukraine took over my company Pages and posed as the CEO and founder of my two companies and took over the admin role. What was most frustrating was LinkedIn support: it was close to zero. It took days for them to respond, then another seven before they removed his name from my pages, but the worst was that I never fully regained administrative control of my pages. I could not position myself as the CEO of my companies. As a result, I removed my profile from LinkedIn and if anyone wants to reach me, they must visit my professional website.

    Bye bye LinkedIn.
    Anne Howard at ahmarketinggroup.com and RPRNmag.com

    • Matthew Hughes
      May 30, 2016 at 7:52 pm

      Ugh. That sounds horrendous. I'm so sorry Anne. :(

  4. A41202813GMAIL ..
    May 22, 2016 at 10:49 pm

    A - I Think The Dollar Character Triggers Any Post To Be Moderated,

    B - Looking At The Post Above, Having 4 Consecutive Equal Characters Should Activate That Trigger, Too.

    Just My 2 Cents.

    Cheers.

  5. A41202813GMAIL ..
    May 22, 2016 at 10:37 pm

    I Did Not Know MUO Was Also A Target For $PAM.

    This Is Ridiculous - This Post Was Not Moderated, But Posts From Longtime Users Sometimes Are.

    Sigh...

    • Mihir Patkar
      May 23, 2016 at 6:28 pm

      Sometimes the spammy comments aren't caught by WP, A41. I do my best to catch them manually, but hey, one guy against an army of robots :D It's gone now!

      • A41202813GMAIL ..
        May 25, 2016 at 11:34 am

        Thank You For Responding.

      • A41202813GMAIL ..
        May 27, 2016 at 12:14 am

        Sorry For The Insistence.

        As You May Have Seen, Spam Here In MUO Is Going Rampant, Recently.

        Manual Hunting Is Not Enough - Do Whatever It Takes To Automatize Moderation Triggers:

        A - Check For Any Currency Symbol ( Dollar Sign, Pound Sign, Whatever...),

        B - Check For, At Least, 4 Consecutive Equal Characters.

        ---

        Most Of The Times, These 2 Simple Rules Will Prevent Spam From Going Live Without Moderation.

        As I Said Before, Just My 2 Cents.

        Cheers.

        • Mihir Patkar
          May 27, 2016 at 8:42 pm

          Thanks A41. We're trying, but currency symbols are obviously used a lot on a tech and gadget site, so it's difficult to throw all of them into Pending. But we're employing new strategies, hopefully we'll see better filter results soon :)

        • A41202813GMAIL ..
          May 28, 2016 at 1:25 am

          Thank You For Responding.

  6. Lewis
    May 21, 2016 at 9:47 pm

    Good thing that I don't use LinkedIn.

    • A41202813GMAIL ..
      May 22, 2016 at 10:45 pm

      You Should, If You Ever Need To Find A New Workplace.

      This Is A Case Going Back 4 Years - Change Your Password Twice A Year And You Will Be Fine.

      Cheers.

    • Matthew Hughes
      May 30, 2016 at 7:53 pm

      Yeah. I'm with the other commenter. LinkedIn is really important when it comes to finding a new gig.
